In addition to its many other use cases, single sign-on (SSO) works well for Kubernetes authentication. The benefits of using SSO for Kubernetes include simplified account management and provisioning and self-service for developers.
Developers use a variety of online tools to create and test applications and collaborate with teammates, such as Git repositories, project management boards, and communication channels. If they also need a separate set of credentials for their Kubernetes clusters, that is one more secret to manage and protect, which raises the possibility of errors. By using SSO, developers can authenticate into their cluster with the same credentials they use for their other tools.
This tutorial will delve into SSO for Kubernetes and how to implement GitHub SSO with your Kubernetes cluster.
#What Is SSO for Kubernetes?
SSO for Kubernetes means delegating authentication to your cluster to one or more external identity providers that you have authorized in the cluster's configuration. Developers then sign in with the credentials they already hold at that provider instead of a cluster-specific set.
SSO is useful when you want to provide self-service for developers in your cluster. Once SSO is set up with the required permissions and limits for each of the developers, they can configure what they need in the cluster within the boundaries of their permissions and limits.
#Implementing GitHub SSO for Kubernetes
You’re going to implement GitHub SSO in a Kubernetes cluster. For this tutorial, you will set up the cluster using minikube. Check the documentation to see how to set up minikube on your computer. You’ll also need a GitHub account. If you don’t have one, go ahead and create one.
Once your prerequisites are set up, you’ll need to configure Loft. Loft is a self-service platform that enables you to control your Kubernetes clusters from a single-point entry. It provides many functionalities, including the ability to allow your Kubernetes developers to authenticate to your cluster using their GitHub accounts.
#Configuring Loft in Your Cluster
Open your terminal and start a cluster using minikube:
You can skip the above step if you aren't using minikube and you already have a cluster with an ingress controller installed and configured.
Download the Loft CLI using the appropriate command for your terminal, as seen below. Note that these one-liners fetch whatever the latest release is and do not verify a checksum or signature, so for anything beyond a local trial, pin the release version and verify the binary before moving it into your PATH.
# Mac terminal
curl -s -L "https://github.com/loft-sh/loft/releases/latest" | sed -nE 's!.*"([^"]*loft-darwin-amd64)".*!https://github.com\1!p' | xargs -n 1 curl -L -o loft && chmod +x loft; sudo mv loft /usr/local/bin;
# Linux Bash
curl -s -L "https://github.com/loft-sh/loft/releases/latest" | sed -nE 's!.*"([^"]*loft-linux-amd64)".*!https://github.com\1!p' | xargs -n 1 curl -L -o loft && chmod +x loft; sudo mv loft /usr/local/bin;
# Windows PowerShell
md -Force "$Env:APPDATA\loft"; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'; Invoke-WebRequest -UseBasicParsing ((Invoke-WebRequest -URI "https://github.com/loft-sh/loft/releases/latest" -UseBasicParsing).Content -replace "(?ms).*`"([^`"]*loft-windows-amd64.exe)`".*","https://github.com/`$1") -o $Env:APPDATA\loft\loft.exe; $env:Path += ";" + $Env:APPDATA + "\loft"; [Environment]::SetEnvironmentVariable("Path", $env:Path, [System.EnvironmentVariableTarget]::User);
# Ensure you add the folder %APPDATA%\loft to the PATH environment variable after installation, then reboot your computer afterward.
Once you have successfully installed the Loft CLI, run loft start in your terminal:
loft start
It will ask which cluster you want to deploy Loft in, assuming you have multiple clusters configured in your kubeconfig file. Then, it will request your email address and deploy Loft into your cluster via Helm.
Once you deploy Loft, you can continue using the password generated by the Loft CLI or reset it. If you want to reset the password, open a new terminal and run:
loft reset password
Type in a secure password and press Enter.
Because loft start is still running in the first terminal, open another terminal to sign in to your cluster via the CLI:
loft login https://localhost:9898 --insecure
You appended the --insecure flag because Loft generated a self-signed TLS certificate for the localhost domain, and the flag tells the CLI not to verify it. You also must accept the untrusted self-signed certificate in the browser before you can view the login page. Only use --insecure against a local instance like this one: against a remote host it disables the check that protects your Loft credentials from a man-in-the-middle. Once you connect a domain to Loft, you can provide a valid TLS certificate for the domain and drop the flag.
Loft automatically opens the login page:
Input your email and password, and on the next page, complete your profile. Then, you’ll see your Loft dashboard:
You have successfully set up Loft in your cluster. Next, you’ll configure GitHub with Loft so that your developers can use their GitHub accounts to authenticate into your cluster.
#Configuring GitHub with Loft
On GitHub, go to Settings, then Developer settings, then OAuth Apps, and create a new OAuth app with the following information:
- Application name: Loft GitHub SSO
- Homepage URL: https://localhost:9898
- Application description: “My Favorite Cluster”
- Authorization callback URL: https://localhost:9898/auth/github/callback
Click the Register application button. GitHub redirects you to a new page showing the details of your application configuration. The Client ID shown there and the Client Secret (click Generate a new client secret if none is shown) are going to be useful for your Loft admin config, so don't close the page yet.
In your Loft dashboard, click the Admin label on the left sidebar:
Then, paste the following in the Loft Configuration text field:
auth:
  github:
    clientId: $CLIENTID
    clientSecret: $CLIENTSECRET
    redirectURI: $CALLBACK_URL
Replace $CLIENTID and $CLIENTSECRET with the generated values provided by GitHub, then replace $CALLBACK_URL with the same Authorization callback URL you entered when creating the new OAuth app on GitHub; if the two differ, GitHub will refuse to redirect back to Loft. The client secret is a credential that lets anyone holding it impersonate your OAuth app, so keep it out of version control, chat messages, and screenshots. Scroll down and click the Apply button.
Return to the terminal and run the following command again:
loft login https://localhost:9898 --insecure
#Impersonating a Developer
Now, pretend you’re a developer who wants to access your company’s Kubernetes cluster using your GitHub account.
Open https://localhost:9898/ in an incognito window, and you’ll see a new button (Sign in with GitHub) on the login page:
Click on the button to sign in. Loft redirects you to GitHub, which prompts you to authenticate your GitHub account and requests that you authorize the Loft GitHub SSO application you created. Then, it redirects you back to the Loft domain to complete your profile.
Once you have completed the form, you are recognized as one of the company’s Kubernetes users via Loft. However, you don’t yet have access to the cluster, so the administrator will have to grant you access.
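The round trip just described (Loft redirects to GitHub, GitHub redirects back to the callback URL with a code) is the OAuth 2.0 authorization-code flow, and the reason the redirectURI in the Loft configuration must match the Authorization callback URL registered on GitHub. The following added example, which is not Loft's or GitHub's code, walks the exchange in-process so it runs offline: one side plays Loft (building the authorize URL, checking the returned state, preparing the token request), the other simulates GitHub's checks. CLIENT_ID, CLIENT_SECRET and SCOPE are constructed placeholders; the redirect URI is the tutorial's. The exact-match rule on redirect_uri is this example's policy; GitHub's own documented rules also allow sub-paths under the registered callback.

```python
"""Offline walk-through of the GitHub OAuth authorization-code flow that Loft
performs for "Sign in with GitHub".  Added illustration, not Loft's code."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN = "https://github.com/login/oauth/access_token"

CLIENT_ID = "Iv1.0123456789abcdef"                 # constructed placeholder
CLIENT_SECRET = "constructed-secret-keep-out-of-git"  # constructed placeholder
REDIRECT_URI = "https://localhost:9898/auth/github/callback"  # from the tutorial
SCOPE = "user:email"  # assumed scope; what Loft really requests may differ


def _query(url: str) -> dict:
    """Query string of `url` as a single-valued {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# ---- Loft (relying party) side ----------------------------------------------

def build_authorize_url(redirect_uri: str, state: str) -> str:
    """The URL Loft sends the browser to when the button is clicked."""
    params = {"client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": SCOPE, "state": state}
    return f"{GITHUB_AUTHORIZE}?{urlencode(params)}"


def begin_login(pending: set) -> str:
    """Step 1: mint a random per-session `state`, remember it, redirect.

    `state` is what lets the callback reject login CSRF: an attacker cannot
    make a victim's browser finish an authorize flow the attacker started."""
    state = secrets.token_urlsafe(32)
    pending.add(state)
    return build_authorize_url(REDIRECT_URI, state)


def handle_callback(callback_url: str, pending: set) -> str:
    """Step 3: Loft receives GET /auth/github/callback?code=...&state=...

    Returns the code only if the state is one this instance issued, and
    consumes it so a captured callback URL cannot be replayed."""
    if urlsplit(callback_url).path != urlsplit(REDIRECT_URI).path:
        raise ValueError("callback arrived on an unexpected path")
    q = _query(callback_url)
    state = q.get("state", "")
    match = next((s for s in pending if hmac.compare_digest(s, state)), None)
    if match is None:
        raise ValueError("unknown or replayed state")
    pending.discard(match)
    if "code" not in q:
        raise ValueError("GitHub returned no code: " + q.get("error", "unknown"))
    return q["code"]


def token_request(code: str) -> dict:
    """Step 4: form body Loft POSTs server-to-server to GITHUB_TOKEN.

    The only place the client secret is used; it never reaches the browser."""
    return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "code": code, "redirect_uri": REDIRECT_URI}


# ---- GitHub (authorization server) side, simulated --------------------------

def github_authorize(authorize_url: str, registered_callback: str) -> str:
    """Step 2: after the user approves, validate client_id and redirect_uri
    against the registered app, then redirect back with a one-time code and
    the unchanged state.  Exact-match policy on redirect_uri (see lead-in)."""
    q = _query(authorize_url)
    if q.get("client_id") != CLIENT_ID:
        raise ValueError("unknown client_id")
    want, got = urlsplit(registered_callback), urlsplit(q.get("redirect_uri", ""))
    if (want.scheme, want.netloc, want.path) != (got.scheme, got.netloc, got.path):
        raise ValueError("redirect_uri does not match the registered callback URL")
    code = secrets.token_hex(10)
    return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q.get('state', '')})}"


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the failure cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def run_login() -> dict:
    """Drive one full exchange and report what each side ended up with."""
    pending = set()
    callback_url = github_authorize(begin_login(pending), REDIRECT_URI)
    code = handle_callback(callback_url, pending)
    return {"code": code, "token_form": token_request(code), "pending": pending}


if __name__ == "__main__":
    result = run_login()
    print("authorization code:", result["code"])
    print("token request fields:", sorted(result["token_form"]))
    print("trailing-slash redirect_uri rejected:",
          is_rejected(github_authorize, build_authorize_url(REDIRECT_URI + "/", "s"), REDIRECT_URI))
```

Two failure modes worth trying by hand: register the app with a trailing slash on the callback URL and the authorize step fails, which is the page-level symptom of a redirectURI typo in the Loft configuration; and feed the same callback URL to handle_callback twice, which fails on the second call because the state was consumed.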
#Granting Developers Access to a Cluster
Once a developer authenticates via GitHub SSO, you will have to assign the developer to the cluster. To do this, log in to your Loft dashboard using your admin credentials. Go to the Users page; the developer you impersonated via SSO is now present:
Click on Clusters on the left menu, then click on Cluster Access. Click on the Create Cluster Access button:
Fill in the necessary details and click Create:
Return to the incognito browser and visit the Clusters page. You as a developer should now have access to the cluster:
Whenever a developer wants to use any cluster they have access to, they should run the command below:
loft use cluster [NAME_OF_CLUSTER]
Alternatively, the developer can connect to a cluster by visiting the Clusters page in their Loft dashboard, then hovering their mouse over the cluster they want to use and clicking Connect, as seen below:
Either way, their kubeconfig is updated automatically, and they can access the cluster via kubectl.
Integrating SSO in your Kubernetes cluster can improve the workflow for all users of the clusters, including developers and administrators. The administrators don’t need to do as much work configuring developers for authentication to the cluster they manage, and developers can use the same authentication credentials they use with their other work apps to authenticate into their company’s cluster. Integrating Loft with GitHub SSO helps you improve the developer experience (DX) of your cluster.
Loft is a great tool for improving DX and cluster management. With Loft, you can incorporate self-service into your clusters, giving developers autonomy to access sections of the clusters that have been provided for them via namespaces. Developers can debug issues on their applications and within the clusters without having to rely on IT support. Because SSO works with multiple applications, you can integrate your Kubernetes cluster access with GitHub, Google, and LinkedIn, as well as other options.